diff --git a/Knot.files b/Knot.files
index 9410df885..675b8bf29 100644
--- a/Knot.files
+++ b/Knot.files
@@ -615,6 +615,8 @@ src/utils/common/token.h
src/utils/common/util_conf.c
src/utils/common/util_conf.h
src/utils/kcatalogprint/main.c
+src/utils/kdig/dnssec_validation.c
+src/utils/kdig/dnssec_validation.h
src/utils/kdig/kdig_exec.c
src/utils/kdig/kdig_exec.h
src/utils/kdig/kdig_main.c
diff --git a/configure.ac b/configure.ac
index 1514966d8..9a707467e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -629,6 +629,11 @@ AC_ARG_WITH(libnghttp2,
with_libnghttp2=yes
)
+dnl DNSSEC validation in kdig
+AC_ARG_ENABLE([kdig_validation],
+ AS_HELP_STRING([--enable-kdig-validation=yes|no], [DNSSEC validation in kdig [default=yes]]),
+ [enable_kdig_validation="$enableval"], [enable_kdig_validation=yes])
+
AS_IF([test "$enable_utilities" = "yes"], [
AS_IF([test "$with_libidn" != "no"], [
PKG_CHECK_MODULES([libidn2], [libidn2 >= 2.0.0], [
@@ -650,6 +655,12 @@ AS_IF([test "$enable_utilities" = "yes"], [
])
])
+ AS_IF([test "$enable_daemon" = "no"], [enable_kdig_validation=no])
+ AS_IF([test "$enable_kdig_validation" != "no"], [
+ AC_DEFINE([HAVE_KDIG_VALIDATION], [1], [Define to 1 to enable DNSSEC validation in kdig.])
+ ])
+ AM_CONDITIONAL([HAVE_KDIG_VALIDATION], [test "$enable_kdig_validation" = yes])
+
AS_IF([test "$enable_xdp" != "no"], [
PKG_CHECK_MODULES([libmnl], [libmnl], [], [
AC_MSG_ERROR([libmnl not found])
@@ -824,6 +835,7 @@ result_msg_base="
Utilities with IDN: ${with_libidn}
Utilities with DoH: ${with_libnghttp2}
Utilities with Dnstap: ${enable_dnstap}
+ Kdig DNSSEC validation: ${enable_kdig_validation}
MaxMind DB support: ${enable_maxminddb}
Systemd integration: ${enable_systemd}
D-Bus support: ${enable_dbus}
diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst
index f21e2871c..a73009903 100644
--- a/doc/man_kdig.rst
+++ b/doc/man_kdig.rst
@@ -177,6 +177,14 @@ Options
**+**\ [\ **no**\ ]\ **dnssec**
Same as **+**\ [\ **no**\ ]\ **doflag**
+**+**\ [\ **no**\ ]\ **validate**\[\ =\ *LEVEL*\]
+ Also query for DNSKEY, validate DNSSEC in the answer. Implies DO flag.
+ Optional argument specifies verbosity (1-3, default 3).
+
+ NOTICE: this is not a security feature, rather a debugging tool. Kdig
+ doesn't attempt to obtain nor validate the whole trust chain, therefore
+ an attacker can in theory spoof everything and Kdig concludes "valid".
+
**+**\ [\ **no**\ ]\ **all**
Show all packet sections.
diff --git a/src/knot/dnssec/nsec-chain.c b/src/knot/dnssec/nsec-chain.c
index aeb1279fb..09567c3c4 100644
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
@@ -734,7 +734,7 @@ int knot_nsec_fix_chain(zone_update_t *update, uint32_t ttl)
return ret;
}
- ret = zone_adjust_contents(update->new_cont, adjust_cb_void, NULL, false, true, 1, update->a_ctx->node_ptrs);
+ ret = zone_adjust_contents(update->new_cont, adjust_cb_void, NULL, false, true, true, 1, update->a_ctx->node_ptrs);
if (ret != KNOT_EOK) {
return ret;
}
diff --git a/src/knot/dnssec/nsec3-chain.c b/src/knot/dnssec/nsec3-chain.c
index 621cc7eae..41ddd44de 100644
--- a/src/knot/dnssec/nsec3-chain.c
+++ b/src/knot/dnssec/nsec3-chain.c
@@ -665,7 +665,7 @@ int knot_nsec3_fix_chain(zone_update_t *update,
return ret;
}
- ret = zone_adjust_contents(update->new_cont, NULL, adjust_cb_void, false, true, 1, update->a_ctx->nsec3_ptrs);
+ ret = zone_adjust_contents(update->new_cont, NULL, adjust_cb_void, false, true, true, 1, update->a_ctx->nsec3_ptrs);
if (ret != KNOT_EOK) {
return ret;
}
diff --git a/src/knot/dnssec/zone-events.c b/src/knot/dnssec/zone-events.c
index 059fa1ef4..32e528ea2 100644
--- a/src/knot/dnssec/zone-events.c
+++ b/src/knot/dnssec/zone-events.c
@@ -230,7 +230,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
}
result = zone_adjust_contents(update->new_cont, adjust_cb_flags, NULL,
- false, false, 1, update->a_ctx->node_ptrs);
+ false, false, true, 1, update->a_ctx->node_ptrs);
if (result != KNOT_EOK) {
return result;
}
@@ -367,7 +367,7 @@ int knot_dnssec_sign_update(zone_update_t *update, conf_t *conf)
}
result = zone_adjust_contents(update->new_cont, adjust_cb_flags, NULL,
- false, false, 1, update->a_ctx->node_ptrs);
+ false, false, true, 1, update->a_ctx->node_ptrs);
if (result != KNOT_EOK) {
goto done;
}
diff --git a/src/knot/updates/zone-update.c b/src/knot/updates/zone-update.c
index 8476bed1a..ecaafcd75 100644
--- a/src/knot/updates/zone-update.c
+++ b/src/knot/updates/zone-update.c
@@ -983,7 +983,7 @@ int zone_update_semcheck(conf_t *conf, zone_update_t *update)
// adjust_cb_nsec3_pointer not needed as we don't check DNSSEC here
int ret = zone_adjust_contents(update->new_cont, adjust_cb_flags, NULL,
- false, false, 1, node_ptrs);
+ false, false, true, 1, node_ptrs);
if (ret != KNOT_EOK) {
return ret;
}
diff --git a/src/knot/zone/adjust.c b/src/knot/zone/adjust.c
index d9208bf0e..a11e5a371 100644
--- a/src/knot/zone/adjust.c
+++ b/src/knot/zone/adjust.c
@@ -467,10 +467,10 @@ static int zone_adjust_tree_parallel(zone_tree_t *tree, adjust_ctx_t *ctx,
}
int zone_adjust_contents(zone_contents_t *zone, adjust_cb_t nodes_cb, adjust_cb_t nsec3_cb,
- bool measure_zone, bool adjust_prevs, unsigned threads,
+ bool measure_zone, bool adjust_prevs, bool load_nsec3p, unsigned threads,
zone_tree_t *add_changed)
{
- int ret = zone_contents_load_nsec3param(zone);
+ int ret = load_nsec3p ? zone_contents_load_nsec3param(zone) : KNOT_EOK;
if (ret != KNOT_EOK) {
log_zone_error(zone->apex->owner,
"failed to load NSEC3 parameters (%s)",
@@ -538,10 +538,10 @@ int zone_adjust_update(zone_update_t *update, adjust_cb_t nodes_cb, adjust_cb_t
int zone_adjust_full(zone_contents_t *zone, unsigned threads)
{
int ret = zone_adjust_contents(zone, adjust_cb_flags, adjust_cb_nsec3_flags,
- true, true, 1, NULL);
+ true, true, true, 1, NULL);
if (ret == KNOT_EOK) {
ret = zone_adjust_contents(zone, adjust_cb_nsec3_and_additionals, NULL,
- false, false, threads, NULL);
+ false, false, true, threads, NULL);
}
if (ret == KNOT_EOK) {
additionals_tree_free(zone->adds_tree);
@@ -578,11 +578,11 @@ int zone_adjust_incremental_update(zone_update_t *update, unsigned threads)
};
ret = zone_adjust_contents(update->new_cont, adjust_cb_flags, adjust_cb_nsec3_flags,
- false, true, 1, update->a_ctx->adjust_ptrs);
+ false, true, true, 1, update->a_ctx->adjust_ptrs);
if (ret == KNOT_EOK) {
if (nsec3change) {
ret = zone_adjust_contents(update->new_cont, adjust_cb_nsec3_and_wildcard, NULL,
- false, false, threads, update->a_ctx->adjust_ptrs);
+ false, false, true, threads, update->a_ctx->adjust_ptrs);
if (ret == KNOT_EOK) {
// just measure zone size
ret = zone_adjust_update(update, adjust_cb_void, adjust_cb_void, true);
diff --git a/src/knot/zone/adjust.h b/src/knot/zone/adjust.h
index 779087e31..2f76d4355 100644
--- a/src/knot/zone/adjust.h
+++ b/src/knot/zone/adjust.h
@@ -63,13 +63,14 @@ int adjust_cb_void(zone_node_t *node, adjust_ctx_t *ctx);
* \param nsec3_cb Callback for NSEC3 nodes.
* \param measure_zone While adjusting, count the size and max TTL of the zone.
* \param adjust_prevs Also (re-)generate node->prev pointers.
+ * \param load_nsec3p Load NSEC3PARAM from zone.
* \param threads Operate in parallel using specified threads.
* \param add_changed Special tree to add any changed node (by adjusting) into.
*
* \return KNOT_E*
*/
int zone_adjust_contents(zone_contents_t *zone, adjust_cb_t nodes_cb, adjust_cb_t nsec3_cb,
- bool measure_zone, bool adjust_prevs, unsigned threads,
+ bool measure_zone, bool adjust_prevs, bool load_nsec3p, unsigned threads,
zone_tree_t *add_changed);
/*!
diff --git a/src/knot/zone/node.c b/src/knot/zone/node.c
index 4ce1433a2..87f683c4c 100644
--- a/src/knot/zone/node.c
+++ b/src/knot/zone/node.c
@@ -434,6 +434,21 @@ bool node_rrtype_is_signed(const zone_node_t *node, uint16_t type)
return false;
}
+void node_set_ttl(zone_node_t *node, uint16_t type, uint32_t ttl)
+{
+ if (node == NULL) {
+ return;
+ }
+
+ int remain = node->rrset_count;
+ while (--remain >= 0) {
+ if (node->rrs[remain].type == type) {
+ node->rrs[remain].ttl = ttl;
+ break;
+ }
+ }
+}
+
bool node_bitmap_equal(const zone_node_t *a, const zone_node_t *b)
{
if (a == NULL || b == NULL || a->rrset_count != b->rrset_count) {
diff --git a/src/knot/zone/node.h b/src/knot/zone/node.h
index 3f5071aeb..52679986d 100644
--- a/src/knot/zone/node.h
+++ b/src/knot/zone/node.h
@@ -372,6 +372,15 @@ static inline knot_rrset_t node_rrset(const zone_node_t *node, uint16_t type)
return rrset;
}
+/*!
+ * \brief Set TTL of specific RRset.
+ *
+ * \param node Zone node.
+ * \param type RRtype to search the RRset.
+ * \param ttl TTL to be set.
+ */
+void node_set_ttl(zone_node_t *node, uint16_t type, uint32_t ttl);
+
/*!
* \brief Returns RRSet structure initialized with data from node at position
* equal to \a pos.
diff --git a/src/knot/zone/zonefile.c b/src/knot/zone/zonefile.c
index eec9b64c0..5d96f44c5 100644
--- a/src/knot/zone/zonefile.c
+++ b/src/knot/zone/zonefile.c
@@ -248,7 +248,7 @@ zone_contents_t *zonefile_load(zloader_t *loader, uint16_t threads)
}
ret = zone_adjust_contents(loader->contents, adjust_cb_flags_and_nsec3,
- adjust_cb_nsec3_flags, true, true, 1, NULL);
+ adjust_cb_nsec3_flags, true, true, true, 1, NULL);
if (ret != KNOT_EOK) {
ERROR(zname, "failed to finalize zone contents (%s)", knot_strerror(ret));
goto fail;
@@ -265,7 +265,7 @@ zone_contents_t *zonefile_load(zloader_t *loader, uint16_t threads)
/* The contents will now change possibly messing up NSEC3 tree, it will
be adjusted again at zone_update_commit. */
ret = zone_adjust_contents(loader->contents, unadjust_cb_point_to_nsec3,
- NULL, false, false, 1, NULL);
+ NULL, false, false, true, 1, NULL);
if (ret != KNOT_EOK) {
ERROR(zname, "failed to finalize zone contents (%s)", knot_strerror(ret));
goto fail;
diff --git a/src/utils/Makefile.inc b/src/utils/Makefile.inc
index 4d180a425..63035034a 100644
--- a/src/utils/Makefile.inc
+++ b/src/utils/Makefile.inc
@@ -7,8 +7,7 @@ noinst_LTLIBRARIES += libknotus.la
libknotus_la_CPPFLAGS = $(embedded_libngtcp2_CFLAGS) \
$(AM_CPPFLAGS) $(CFLAG_VISIBILITY) $(gnutls_CFLAGS) \
$(libedit_CFLAGS) $(libidn2_CFLAGS) $(libidn_CFLAGS) \
- $(libkqueue_CFLAGS) $(libnghttp2_CFLAGS) $(libngtcp2_CFLAGS) \
- $(lmdb_CFLAGS)
+ $(libkqueue_CFLAGS) $(libnghttp2_CFLAGS) $(libngtcp2_CFLAGS)
libknotus_la_LDFLAGS = $(AM_LDFLAGS) $(LDFLAG_EXCLUDE_LIBS)
libknotus_la_LIBADD = $(libidn2_LIBS) $(libidn_LIBS) $(libnghttp2_LIBS) $(libngtcp2_LIBS)
libknotus_LIBS = libknotus.la libknot.la $(libcontrib_LIBS) \
@@ -59,6 +58,12 @@ kdig_SOURCES = \
utils/kdig/kdig_params.c \
utils/kdig/kdig_params.h
+if HAVE_KDIG_VALIDATION
+kdig_SOURCES += \
+ utils/kdig/dnssec_validation.c \
+ utils/kdig/dnssec_validation.h
+endif HAVE_KDIG_VALIDATION
+
khost_SOURCES = \
utils/kdig/kdig_exec.c \
utils/kdig/kdig_exec.h \
@@ -81,8 +86,9 @@ knsupdate_SOURCES = \
utils/knsupdate/knsupdate_params.h
kdig_CPPFLAGS = $(libknotus_la_CPPFLAGS)
-kdig_LDADD = $(libknotus_LIBS)
-khost_CPPFLAGS = $(libknotus_la_CPPFLAGS)
+kdig_LDADD = $(libknotd_LIBS) $(libknotus_LIBS)
+kdig_LDFLAGS = $(AM_LDFLAGS)
+khost_CPPFLAGS = $(libknotus_la_CPPFLAGS) -DNO_DNSSEC_VALIDATION
khost_LDADD = $(libknotus_LIBS)
knsec3hash_CPPFLAGS = $(libknotus_la_CPPFLAGS)
knsec3hash_LDADD = libknot.la $(libcontrib_LIBS)
diff --git a/src/utils/kdig/dnssec_validation.c b/src/utils/kdig/dnssec_validation.c
new file mode 100644
index 000000000..4b62b2453
--- /dev/null
+++ b/src/utils/kdig/dnssec_validation.c
@@ -0,0 +1,767 @@
+/* Copyright (C) CZ.NIC, z.s.p.o. and contributors
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ * For more information, see
+ */
+
+#include
+
+#include "utils/kdig/dnssec_validation.h"
+#include "knot/dnssec/zone-nsec.h"
+#include "knot/dnssec/zone-sign.h"
+#include "knot/zone/adjust.h"
+
+#define CNAME_LIMIT 3
+
+typedef struct kdig_dnssec_ctx {
+ zone_contents_t *conts;
+ knot_dname_t *orig_qname;
+ uint16_t orig_qtype;
+ knot_rcode_t orig_rcode;
+ unsigned cname_visit;
+} kdig_dnssec_ctx_t;
+
+typedef struct {
+ zone_contents_t *conts;
+ kdig_validation_log_level_t level;
+} tree_cb_ctx_t;
+
+static void kdv_log(kdig_validation_log_level_t log_level, kdig_validation_log_level_t set_level,
+ const char *prefix, const knot_dname_t *at, const char *msg, ...)
+{
+ if (set_level >= log_level) {
+ fprintf(stdout, ";; %s: ", prefix);
+ va_list args;
+ va_start(args, msg);
+ vfprintf(stdout, msg, args);
+ va_end(args);
+ if (at != NULL) {
+ char at_txt[KNOT_DNAME_TXT_MAXLEN] = { 0 };
+ knot_dname_to_str(at_txt, at, sizeof(at_txt));
+ fprintf(stdout, " at %s\n", at_txt);
+ } else {
+ fprintf(stdout, "\n");
+ }
+ }
+}
+
+#define LOG_OUTCOME(level, at, msg, ...) kdv_log(KDIG_VALIDATION_LOG_OUTCOME, level, "OUTCOME", at, msg, ##__VA_ARGS__)
+#define LOG_ERROR(level, at, msg, ...) kdv_log(KDIG_VALIDATION_LOG_ERRORS, level, "ERROR", at, msg, ##__VA_ARGS__)
+#define LOG_FOUND(level, at, msg, ...) kdv_log(KDIG_VALIDATION_LOG_INFOS, level, "FOUND", at, msg, ##__VA_ARGS__)
+#define LOG_INF(level, at, msg, ...) kdv_log(KDIG_VALIDATION_LOG_INFOS, level, "INFO", at, msg, ##__VA_ARGS__)
+
+static bool dname_between(const knot_dname_t *first, const knot_dname_t *between, const knot_dname_t *second)
+{
+ if (knot_dname_cmp(first, second) < 0) {
+ return knot_dname_cmp(first, between) < 0 && knot_dname_cmp(between, second) < 0;
+ } else {
+ return knot_dname_cmp(first, between) < 0 || knot_dname_cmp(between, second) < 0;
+ }
+}
+
+static int dname_wildcard(const knot_dname_t *from, knot_dname_t *dest, size_t dest_len)
+{
+ size_t from_size = knot_dname_size(from);
+ if (from_size + 2 > dest_len) {
+ return KNOT_ERANGE;
+ }
+ memcpy(dest, "\x01*", 2);
+ memcpy(dest + 2, from, from_size);
+ return KNOT_EOK;
+}
+
+static const knot_dname_t *dname_next_labels(const knot_dname_t *name, unsigned nlabels)
+{
+ return name + knot_dname_prefixlen(name, nlabels);
+}
+
+static bool nsec_covers_name(const knot_dname_t *nsec_owner, const knot_rdata_t *nsec_rdata,
+ const knot_dname_t *name)
+{
+ const knot_dname_t *nsec_next = knot_nsec_next(nsec_rdata);
+ return dname_between(nsec_owner, name, nsec_next);
+}
+
+static bool nsec3_covers_name(const knot_dname_t *nsec3_owner, const knot_rdata_t *nsec3_rdata,
+ const knot_dname_t *name, const knot_dname_t *apex)
+{
+ const uint8_t *nsec3_hash = knot_nsec3_next(nsec3_rdata);
+ uint16_t n3h_len = knot_nsec3_next_len(nsec3_rdata);
+ uint8_t nsec3_next[KNOT_DNAME_MAXLEN] = { 0 };
+ int ret = knot_nsec3_hash_to_dname(nsec3_next, sizeof(nsec3_next), nsec3_hash, n3h_len, apex);
+ return ret == KNOT_EOK /* best effort */ && dname_between(nsec3_owner, name, nsec3_next);
+}
+
+static int check_nsec3(zone_node_t *node, void *data)
+{
+ tree_cb_ctx_t *ctx = data;
+ dnssec_nsec3_params_t *params = &ctx->conts->nsec3_params, found = { 0 };
+ knot_rdataset_t *nsec3 = node_rdataset(node, KNOT_RRTYPE_NSEC3);
+ dnssec_binary_t rd = { .data = nsec3->rdata->data, .size = nsec3->rdata->len };
+ int ret;
+ if ((ret = dnssec_nsec3_params_from_rdata(&found, &rd)) != KNOT_EOK ||
+ !dnssec_nsec3_params_match(&found, params)) {
+ LOG_ERROR(ctx->level, node->owner, "invalid or unmatching NSEC3");
+ return 1;
+ }
+ free(found.salt.data);
+
+ zone_node_t *prev = node_prev(node);
+ nsec3 = node_rdataset(prev, KNOT_RRTYPE_NSEC3);
+ if (prev != node && nsec3_covers_name(prev->owner, nsec3->rdata, node->owner, ctx->conts->apex->owner)) {
+ LOG_ERROR(ctx->level, node->owner, "overlapping NSEC3 ranges");
+ return 1;
+ }
+ return KNOT_EOK;
+}
+
+static bool parents_have_rrtype(zone_node_t *n, uint16_t type)
+{
+ while ((n = node_parent(n)) != NULL) {
+ if (node_rrtype_exists(n, type)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static int move_rrset(zone_contents_t *c, zone_node_t *n, uint16_t type, const knot_dname_t *target)
+{
+ zone_node_t *unused = NULL;
+ knot_rrset_t rr = node_rrset(n, type);
+ if (knot_rrset_empty(&rr)) {
+ return KNOT_EOK;
+ }
+
+ const knot_rrset_t rr2 = {
+ .owner = (knot_dname_t *)target,
+ .type = rr.type,
+ .rclass = rr.rclass,
+ .ttl = rr.ttl,
+ .rrs = rr.rrs,
+ };
+
+ int ret = zone_contents_add_rr(c, &rr2, &unused);
+ if (ret == KNOT_EOK) {
+ ret = zone_contents_remove_rr(c, &rr, &n);
+ }
+ return ret;
+}
+
+static int rrsig_types_labelcnt(const knot_rdataset_t *rrsig,
+ uint16_t *types, /* must be pre-allocated to rrsig->count+1 */
+ uint16_t *lbcnt)
+{
+ knot_rdata_t *rd = rrsig->rdata;
+ for (int i = 0; i < rrsig->count; i++) {
+ if (*lbcnt == 0) {
+ *lbcnt = knot_rrsig_labels(rd);
+ } else if (*lbcnt != knot_rrsig_labels(rd)) {
+ return KNOT_ESEMCHECK;
+ }
+ types[i] = knot_rrsig_type_covered(rd);
+ rd = knot_rdataset_next(rd);
+ }
+ return KNOT_EOK;
+}
+
+static int restore_orig_ttls(zone_node_t *node, _unused_ void *unused)
+{
+ knot_rdataset_t *rrsig = node_rdataset(node, KNOT_RRTYPE_RRSIG);
+ if (rrsig != NULL) {
+ knot_rdata_t *rd = rrsig->rdata;
+ for (int i = 0; i < rrsig->count; i++) {
+ node_set_ttl(node, knot_rrsig_type_covered(rd), knot_rrsig_original_ttl(rd));
+ rd = knot_rdataset_next(rd);
+ }
+ }
+ return KNOT_EOK;
+}
+
+static bool has_nsec3(const zone_contents_t *conts)
+{
+ return conts->nsec3_params.algorithm > 0;
+}
+
+static bool bitmap_covers(const uint8_t *bitmap, uint16_t bm_len,
+ uint16_t rrtype, const zone_node_t *node)
+{
+ if (node != NULL) {
+ for (int i = 0; i < node->rrset_count; i++) {
+ uint16_t rrt = node->rrs[i].type;
+ if (!dnssec_nsec_bitmap_contains(bitmap, bm_len, rrt)) {
+ return true;
+ }
+ }
+ return false;
+ } else if (rrtype == 0) {
+ return true;
+ } else {
+ return !dnssec_nsec_bitmap_contains(bitmap, bm_len, rrtype);
+ }
+}
+
+static bool has_nodata(zone_contents_t *conts, const knot_dname_t *name, uint16_t type,
+ const zone_node_t *from_node, const knot_dname_t **where)
+{
+ if (!has_nsec3(conts)) {
+ const zone_node_t *node = zone_contents_find_node(conts, name);
+ knot_rrset_t nsec = node_rrset(node, KNOT_RRTYPE_NSEC);
+ if (where != NULL) {
+ *where = nsec.owner;
+ }
+ return !knot_rrset_empty(&nsec)
+ && bitmap_covers(knot_nsec_bitmap(nsec.rrs.rdata),
+ knot_nsec_bitmap_len(nsec.rrs.rdata), type, from_node);
+ }
+
+ const zone_node_t *nsec3_node = NULL, *nsec3_prev = NULL;
+ int ret = zone_contents_find_nsec3_for_name(conts, name, &nsec3_node, &nsec3_prev);
+ if (ret != ZONE_NAME_FOUND) {
+ return false; // best effort
+ }
+ knot_rrset_t nsec3 = node_rrset(nsec3_node, KNOT_RRTYPE_NSEC3);
+ if (where != NULL) {
+ *where = nsec3.owner;
+ }
+ return !knot_rrset_empty(&nsec3) &&
+ bitmap_covers(knot_nsec3_bitmap(nsec3.rrs.rdata),
+ knot_nsec3_bitmap_len(nsec3.rrs.rdata), type, from_node);
+}
+
+static bool has_nxdomain(zone_contents_t *conts, const knot_dname_t *name, bool opt_out,
+ kdig_validation_log_level_t level, bool *has_opt_out,
+ const knot_dname_t **where, const knot_dname_t **encloser)
+{
+ if (!has_nsec3(conts)) {
+ const zone_node_t *match = NULL, *closest = NULL, *prev = NULL;
+ int ret = zone_contents_find_dname(conts, name, &match, &closest, &prev,
+ knot_dname_with_null(name));
+ if (ret < 0 || match == prev) {
+ return false;
+ }
+ while (prev->rrset_count == 0) {
+ prev = node_prev(prev);
+ }
+ knot_rrset_t nsec = node_rrset(prev, KNOT_RRTYPE_NSEC);
+ *where = nsec.owner;
+ *encloser = closest->owner;
+ if (!knot_rrset_empty(&nsec) &&
+ knot_dname_in_bailiwick(knot_nsec_next(nsec.rrs.rdata), name) >= 0) {
+ *encloser = name; // empty-non-terminal detected
+ }
+ return !opt_out && !knot_rrset_empty(&nsec) &&
+ nsec_covers_name(prev->owner, nsec.rrs.rdata, name);
+ }
+
+ // scan for closest encloser represented by some NSEC3, because the closest encloser node
+ // might not be here
+ size_t apex_nlabels = knot_dname_labels(conts->apex->owner, NULL);
+ size_t name_nlabels = knot_dname_labels(name, NULL);
+ const knot_dname_t *enc_where = NULL;
+ *encloser = knot_dname_next_label(name);
+ for (; name_nlabels > apex_nlabels; name_nlabels--) {
+ if (has_nodata(conts, *encloser, 0, NULL, &enc_where) ||
+ // tricky exception: in some cases the closest encloser is
+ // proven by existence of stuff, e.g. RFC 5155 ยง 7.2.6
+ zone_contents_find_node(conts, *encloser) != NULL) {
+ break;
+ }
+ name = *encloser;
+ *encloser = knot_dname_next_label(name);
+ }
+ if (name_nlabels <= apex_nlabels) {
+ LOG_ERROR(level, name, "NSEC3 encloser proof missing");
+ return false;
+ } else {
+ char enc_name[KNOT_DNAME_TXT_MAXLEN] = { 0 };
+ (void)knot_dname_to_str(enc_name, *encloser, sizeof(enc_name));
+ LOG_FOUND(level, enc_where != NULL ? enc_where : *encloser, "NSEC3 encloser %s found", enc_name);
+ }
+
+ const zone_node_t *nsec3_node = NULL, *nsec3_prev = NULL;
+ knot_dname_storage_t nsec3_name;
+ int ret = knot_create_nsec3_owner(nsec3_name, sizeof(nsec3_name), name,
+ conts->apex->owner, &conts->nsec3_params);
+ if (ret == KNOT_EOK) {
+ ret = zone_contents_find_nsec3(conts, nsec3_name, &nsec3_node, &nsec3_prev);
+ }
+ if (ret != ZONE_NAME_NOT_FOUND) {
+ return false; // best effort
+ }
+ knot_rrset_t nsec3 = node_rrset(nsec3_prev, KNOT_RRTYPE_NSEC3);
+ *where = nsec3.owner;
+ if (has_opt_out != NULL) {
+ *has_opt_out = (knot_nsec3_flags(nsec3.rrs.rdata) & KNOT_NSEC3_FLAG_OPT_OUT);
+ }
+ return !knot_rrset_empty(&nsec3) &&
+ nsec3_covers_name(nsec3_prev->owner, nsec3.rrs.rdata, nsec3_name, conts->apex->owner) &&
+ (!opt_out || (knot_nsec3_flags(nsec3.rrs.rdata) & KNOT_NSEC3_FLAG_OPT_OUT));
+}
+
+static int check_existing_with_nsecs(zone_node_t *node, void *data)
+{
+ tree_cb_ctx_t *ctx = data;
+ const knot_dname_t *where = NULL, *encloser = NULL;
+ bool has_opt_out = false;
+ if (node->flags & NODE_FLAGS_DELEG) {
+ bool has_nxd = has_nxdomain(ctx->conts, node->owner, false, KDIG_VALIDATION_LOG_NONE,
+ &has_opt_out, &where, &encloser);
+ if (node_rrtype_exists(node, KNOT_RRTYPE_DS)) {
+ if (has_nodata(ctx->conts, node->owner, KNOT_RRTYPE_DS, NULL, NULL)) {
+ LOG_ERROR(ctx->level, node->owner,
+ "NSEC(3) wrongly proves insecure delegation");
+ return 1;
+ } else if (has_nxd) {
+ if (has_opt_out) {
+ LOG_ERROR(ctx->level, node->owner,
+ "NSEC3 opt-out wrongly applied to secure delegation");
+ } else {
+ LOG_ERROR(ctx->level, node->owner,
+ "NSEC(3) wrongly proves NXDOMAIN for secure delegation");
+ }
+ return 1;
+ }
+ } else if (has_nxd && !has_opt_out) {
+ if (has_nsec3(ctx->conts)) {
+ LOG_ERROR(ctx->level, node->owner,
+ "NSEC3 opt-out flag missing, proving NXDOMAIN fro insecure delegation");
+ } else {
+ LOG_ERROR(ctx->level, node->owner,
+ "NSEC wrongly proves NXDOMAIN for insecure delegation");
+ }
+ return 1;
+ }
+ } else if (!(node->flags & NODE_FLAGS_NONAUTH)) {
+ if (has_nodata(ctx->conts, node->owner, 0, node, NULL)) {
+ LOG_ERROR(ctx->level, node->owner, "NSEC(3) wrongly proves NODATA");
+ return 1;
+ } else if (has_nxdomain(ctx->conts, node->owner, false, KDIG_VALIDATION_LOG_NONE,
+ &has_opt_out, &where, &encloser) &&
+ (!has_opt_out || (node->flags & NODE_FLAGS_SUBTREE_AUTH))) {
+ LOG_ERROR(ctx->level, node->owner, "NSEC(3) wrongly proves NXDOMAIN");
+ return 1;
+ }
+ }
+ return KNOT_EOK;
+}
+
+static const knot_rrset_t *find_first(knot_pkt_t *pkt, uint16_t rrtype, knot_section_t limit)
+{
+ for (int i = 0; i <= limit; i++) {
+ for (int j = 0; j < pkt->sections[i].count; j++) {
+ const knot_rrset_t *rr = knot_pkt_rr(&pkt->sections[i], j);
+ if (rr->type == rrtype) {
+ return rr;
+ }
+ }
+ }
+ return NULL;
+}
+
+int remove_cnames(zone_node_t *node, void *data)
+{
+ knot_rrset_t cname = node_rrset(node, KNOT_RRTYPE_CNAME);
+ if (!knot_rrset_empty(&cname)) {
+ zone_node_t *unused = NULL;
+ return zone_contents_remove_rr(data, &cname, &unused);
+ }
+ return KNOT_EOK;
+}
+
+static int rrsets_pkt2conts(knot_pkt_t *pkt, zone_contents_t *conts,
+ knot_section_t limit, uint16_t type_only,
+ kdig_validation_log_level_t level)
+{
+ int ret = KNOT_EOK;
+ for (int i = 0; i <= limit && ret == KNOT_EOK; i++) {
+ for (int j = 0; j < pkt->sections[i].count && ret == KNOT_EOK; j++) {
+ const knot_rrset_t *rr = knot_pkt_rr(&pkt->sections[i], j);
+ if (rr->type == KNOT_RRTYPE_RRSIG) {
+ assert(rr->rrs.count == 1);
+ if (type_only && knot_rrsig_type_covered(rr->rrs.rdata) != type_only) {
+ continue;
+ }
+ } else if ((type_only && rr->type != type_only) || knot_rrtype_is_metatype(rr->type)) {
+ continue;
+ }
+
+ uint16_t rr_pos = knot_pkt_rr_offset(&pkt->sections[i], j);
+ knot_dname_storage_t owner;
+ knot_dname_unpack(owner, pkt->wire + rr_pos, sizeof(owner), pkt->wire);
+
+ knot_rrset_t rrcpy = *rr;
+ rrcpy.owner = (knot_dname_t *)&owner;
+ ret = knot_rrset_rr_to_canonical(&rrcpy);
+ if (ret != KNOT_EOK) {
+ break;
+ }
+
+ if (i > KNOT_ANSWER && knot_dname_in_bailiwick(rrcpy.owner, conts->apex->owner) < 0) {
+ continue;
+ }
+
+ zone_node_t *inserted = NULL;
+ ret = zone_contents_add_rr(conts, &rrcpy, &inserted);
+ if (ret == KNOT_ETTL) {
+ char rrtype[16] = { 0 };
+ knot_rrtype_to_string(rr->type, rrtype, sizeof(rrtype));
+ LOG_INF(level, rr->owner, "mismatched TTLs for type %s", rrtype);
+ ret = KNOT_EOK;
+ }
+ }
+ }
+ return ret;
+}
+
+static int solve_missing_apex(knot_pkt_t *pkt, uint16_t rrtype, zone_contents_t *conts,
+ kdig_validation_log_level_t level)
+{
+ if (node_rrtype_exists(conts->apex, rrtype)) {
+ return KNOT_EOK;
+ }
+ if (knot_pkt_qtype(pkt) != rrtype ||
+ !knot_dname_is_equal(knot_pkt_qname(pkt), conts->apex->owner)) {
+ return KNOT_EAGAIN;
+ }
+ int ret = rrsets_pkt2conts(pkt, conts, KNOT_ANSWER, rrtype, level);
+ if (ret == KNOT_EOK && !node_rrtype_exists(conts->apex, rrtype)) {
+ ret = KNOT_ENOENT;
+ }
+ return ret;
+}
+
+static int check_cname(kdig_dnssec_ctx_t *ctx, const knot_dname_t *cname,
+ uint16_t type, kdig_validation_log_level_t level,
+ knot_rcode_t *expected_rcode);
+
+static int check_name(kdig_dnssec_ctx_t *ctx, const knot_dname_t *name,
+ uint16_t type, kdig_validation_log_level_t level,
+ knot_rcode_t *expected_rcode)
+{
+ const knot_dname_t *where = NULL, *encloser = NULL;
+ const zone_node_t *match = NULL, *closest = NULL, *prev = NULL;
+ bool has_opt_out = false;
+ bool wc_match = knot_dname_is_wildcard(name) && !knot_dname_is_wildcard(ctx->orig_qname);
+ int ret = zone_contents_find_dname(ctx->conts, name, &match, &closest, &prev,
+ knot_dname_with_null(name));
+ if (ret < 0) {
+ return ret;
+ }
+ if (expected_rcode != NULL) {
+ *expected_rcode = KNOT_RCODE_NOERROR;
+ }
+ while ((closest->flags & NODE_FLAGS_NONAUTH)) {
+ closest = node_parent(closest);
+ }
+ if ((closest->flags & NODE_FLAGS_DELEG)) {
+ if (node_rrtype_exists(closest, KNOT_RRTYPE_DS)) {
+ LOG_FOUND(level, closest->owner, "secure delegation, DS found");
+ return KNOT_EOK;
+ } else if (has_nodata(ctx->conts, closest->owner, KNOT_RRTYPE_DS, NULL, &where)) {
+ LOG_FOUND(level, where, "insecure delegation, DS NODATA proof found");
+ } else if (has_nxdomain(ctx->conts, closest->owner, true, level, &has_opt_out, &where, &encloser)) {
+ assert(has_opt_out);
+ LOG_FOUND(level, where, "insecure delegation, opt-out proof found");
+ } else {
+ LOG_ERROR(level, closest->owner, "delegation, DS non-existence proof missing");
+ return 1;
+ }
+ } else if (ret == ZONE_NAME_NOT_FOUND) {
+ if (!wc_match && has_nsec3(ctx->conts) && has_nodata(ctx->conts, name, 0, NULL, &where)) {
+ if (has_nodata(ctx->conts, name, type, NULL, &where)) {
+ LOG_FOUND(level, where, "NSEC3 NODATA proof found");
+ return KNOT_EOK;
+ } else {
+ LOG_ERROR(level, where, "NSEC3 NODATA proof missing");
+ return 1;
+ }
+ }
+ if (node_rrtype_exists(closest, KNOT_RRTYPE_DNAME)) {
+ const knot_dname_t *dname_tgt = knot_dname_target(node_rdataset(closest, KNOT_RRTYPE_DNAME)->rdata);
+ size_t labels = knot_dname_labels(closest->owner, NULL);
+ knot_dname_t *cname = knot_dname_replace_suffix(name, labels, dname_tgt, NULL);
+ if (cname == NULL) {
+ return KNOT_ENOMEM;
+ }
+ LOG_FOUND(level, cname, "DNAME found, continuing validation");
+ ret = check_cname(ctx, cname, type, level, expected_rcode);
+ knot_dname_free(cname, NULL);
+ return ret;
+ }
+ if (has_nxdomain(ctx->conts, name, false, level, &has_opt_out, &where, &encloser)) {
+ if (wc_match) {
+ LOG_FOUND(level, where, "wildcard non-existence proven");
+ } else {
+ LOG_FOUND(level, where, "NXDOMAIN proven");
+ }
+ } else {
+ if (ctx->cname_visit > 0) {
+ LOG_INF(level, name, "CNAME/DNAME chain not returned whole, please re-query for the target");
+ return KNOT_EOK; // auth is not obligated to follow the chain whole
+ }
+ if (wc_match) {
+ LOG_INF(level, where, "wildcard non-existence proof missing");
+ } else {
+ LOG_INF(level, where, "NXDOMAIN proof missing");
+ }
+ return 1;
+ }
+ if (encloser == name) {
+ LOG_INF(level, name, "empty non-terminal detected, wildcard not applicable");
+ return KNOT_EOK;
+ }
+ if (knot_dname_is_wildcard(name)) {
+ if (expected_rcode != NULL) {
+ *expected_rcode = KNOT_RCODE_NXDOMAIN;
+ }
+ } else {
+ knot_dname_storage_t wc;
+ ret = dname_wildcard(encloser, wc, sizeof(wc));
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+ if (has_opt_out && ctx->orig_rcode == KNOT_RCODE_NOERROR &&
+ zone_contents_find_node(ctx->conts, wc) == NULL) {
+ LOG_INF(level, wc, "this is empty non-terminal NODATA unprovable due to NSEC3 opt-out, "
+ "skipping wildcard non-existence proof");
+ return KNOT_EOK;
+ }
+ LOG_INF(level, wc, "checking wildcard non/existence");
+ return check_name(ctx, wc, type, level, expected_rcode);
+ }
+ } else if (node_rrtype_exists(match, KNOT_RRTYPE_CNAME)) {
+ const knot_rdataset_t *cn = node_rdataset(match, KNOT_RRTYPE_CNAME);
+ LOG_FOUND(level, knot_cname_name(cn->rdata), "CNAME found, continuing validation");
+ return check_cname(ctx, knot_cname_name(cn->rdata), type, level, expected_rcode);
+ } else if (!node_rrtype_exists(match, type)) {
+ if (has_nodata(ctx->conts, match->owner, type, NULL, &where)) {
+ LOG_FOUND(level, where, "NSEC NODATA proof found");
+ } else {
+ LOG_ERROR(level, match->owner, "NODATA proof missing");
+ return 1;
+ }
+ } else {
+ LOG_FOUND(level, match->owner, "positive answer found");
+ }
+ return KNOT_EOK;
+}
+
+static int check_cname(kdig_dnssec_ctx_t *ctx, const knot_dname_t *cname,
+ uint16_t type, kdig_validation_log_level_t level,
+ knot_rcode_t *expected_rcode)
+{
+ if (knot_dname_in_bailiwick(cname, ctx->conts->apex->owner) < 0) {
+ return KNOT_EOK;
+ }
+ if (++ctx->cname_visit >= CNAME_LIMIT) {
+ LOG_INF(level, cname, "limit (%d) of CNAME/DNAME chain reached, giving up", CNAME_LIMIT);
+ return KNOT_EOK;
+ }
+ return check_name(ctx, cname, type, level, expected_rcode);
+}
+
+static int init_conts_from_pkt(knot_pkt_t *pkt, kdig_dnssec_ctx_t *ctx,
+ kdig_validation_log_level_t level)
+{
+ const knot_rrset_t *some_rrsig = find_first(pkt, KNOT_RRTYPE_RRSIG, KNOT_AUTHORITY);
+ if (some_rrsig == NULL) {
+ return KNOT_DNSSEC_ENOSIG;
+ }
+ const knot_dname_t *rrsig_zone = knot_rrsig_signer_name(some_rrsig->rrs.rdata);
+
+ ctx->orig_qname = knot_dname_copy(knot_pkt_qname(pkt), NULL);
+ ctx->conts = zone_contents_new(rrsig_zone, false);
+ if (ctx->orig_qname == NULL || ctx->conts == NULL) {
+ // no need to free anything, sorted by kdig_dnssec_free in any case
+ return KNOT_ENOMEM;
+ }
+ ctx->orig_qtype = knot_pkt_qtype(pkt);
+ ctx->orig_rcode = knot_pkt_ext_rcode(pkt);
+
+ int ret = rrsets_pkt2conts(pkt, ctx->conts, KNOT_AUTHORITY, 0, level);
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+
+ const knot_rrset_t *some_nsec3 = find_first(pkt, KNOT_RRTYPE_NSEC3, KNOT_AUTHORITY);
+ if (some_nsec3 != NULL) {
+ dnssec_binary_t nsec3rd = {
+ .data = some_nsec3->rrs.rdata->data,
+ .size = some_nsec3->rrs.rdata->len,
+ };
+ ret = dnssec_nsec3_params_from_rdata(&ctx->conts->nsec3_params, &nsec3rd);
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+ }
+
+ return KNOT_EOK;
+}
+
+static int dnssec_validate(knot_pkt_t *pkt, kdig_dnssec_ctx_t **dv_ctx,
+ kdig_validation_log_level_t loglevel,
+ knot_dname_t zone_name[KNOT_DNAME_MAXLEN],
+ uint16_t *type_needed)
+{
+ if (pkt == NULL || dv_ctx == NULL || zone_name == NULL || type_needed == NULL) {
+ return KNOT_EINVAL;
+ }
+
+ if (*dv_ctx == NULL) {
+ *dv_ctx = calloc(1, sizeof(**dv_ctx));
+ if (*dv_ctx == NULL) {
+ return KNOT_ENOMEM;
+ }
+
+ int ret = init_conts_from_pkt(pkt, *dv_ctx, loglevel);
+ if (ret != KNOT_EOK) {
+ return ret;
+ } else if (loglevel >= KDIG_VALIDATION_LOG_INFOS) {
+ char zn[KNOT_DNAME_TXT_MAXLEN] = { 0 };
+ knot_dname_to_str(zn, (*dv_ctx)->conts->apex->owner, sizeof(zn));
+ LOG_INF(loglevel, NULL, "for zone: %s", zn);
+ }
+ }
+
+ zone_contents_t *conts = (*dv_ctx)->conts;
+ memcpy(zone_name, conts->apex->owner, knot_dname_size(conts->apex->owner));
+
+ int ret = solve_missing_apex(pkt, KNOT_RRTYPE_DNSKEY, conts, loglevel);
+ if (ret != KNOT_EOK) { // EAGAIN or failure
+ *type_needed = KNOT_RRTYPE_DNSKEY;
+ return ret;
+ }
+
+ // revert answering quirks: wildcard expansion and CNAME synthesis
+ zone_tree_delsafe_it_t it = { 0 };
+ ret = zone_tree_delsafe_it_begin(conts->nodes, &it, false);
+ while (ret == KNOT_EOK && !zone_tree_delsafe_it_finished(&it)) {
+ zone_node_t *n = zone_tree_delsafe_it_val(&it);
+ knot_rrset_t cname = node_rrset(n, KNOT_RRTYPE_CNAME);
+ knot_rrset_t rrsig = node_rrset(n, KNOT_RRTYPE_RRSIG);
+ if (!knot_rrset_empty(&cname) && parents_have_rrtype(n, KNOT_RRTYPE_DNAME)) {
+ ret = zone_contents_remove_rr(conts, &cname, &n);
+ zone_tree_delsafe_it_next(&it);
+ continue;
+ }
+
+ uint16_t nlabels = knot_dname_labels(n->owner, NULL);
+ uint16_t rrsig_nlabels = 0;
+ uint16_t types[rrsig.rrs.count + 1];
+ ret = rrsig_types_labelcnt(&rrsig.rrs, &types[0], &rrsig_nlabels);
+ types[rrsig.rrs.count] = KNOT_RRTYPE_RRSIG;
+ if (nlabels > rrsig_nlabels && rrsig_nlabels > 0 && !knot_dname_is_wildcard(n->owner)) {
+ knot_dname_storage_t wc;
+ const knot_dname_t *stripped = dname_next_labels(n->owner, nlabels - rrsig_nlabels);
+ ret = dname_wildcard(stripped, wc, sizeof(wc));
+ for (int i = 0; i < rrsig.rrs.count + 1 && ret == KNOT_EOK; i++) {
+ ret = move_rrset(conts, n, types[i], wc);
+ }
+ }
+ zone_tree_delsafe_it_next(&it);
+ }
+ zone_tree_delsafe_it_free(&it);
+
+ if (ret == KNOT_EOK) {
+ ret = zone_adjust_contents(conts, adjust_cb_flags, adjust_cb_nsec3_flags, false,
+ true, false, 1, NULL);
+ }
+ if (ret == KNOT_EOK) {
+ ret = zone_tree_apply(conts->nodes, restore_orig_ttls, NULL);
+ }
+ if (ret == KNOT_EOK) {
+ ret = zone_tree_apply(conts->nsec3_nodes, restore_orig_ttls, NULL);
+ }
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+
+ // NOTE at this point we have complete "contents" filled with the answer, DNSKEY and their RRSIGs
+
+ knot_rcode_t expected_rcode = KNOT_RCODE_NOERROR;
+ tree_cb_ctx_t cb_ctx = { .conts = conts, .level = loglevel };
+
+ // check NSEC3 tree consistence
+ ret = zone_tree_apply(conts->nsec3_nodes, check_nsec3, &cb_ctx);
+ if (ret != KNOT_EOK) { // also '1'
+ return ret;
+ }
+
+ // check the NSEC(3) proofs relevant for the queried name
+ ret = check_name(*dv_ctx, (*dv_ctx)->orig_qname, (*dv_ctx)->orig_qtype, loglevel, &expected_rcode);
+ if (ret != KNOT_EOK) { // also '1'
+ return ret;
+ }
+
+ // check that any NSEC does not prove non-existence of anything existing
+ ret = zone_tree_apply(conts->nodes, check_existing_with_nsecs, &cb_ctx);
+ if (ret != KNOT_EOK) { // also '1'
+ return ret;
+ }
+
+ // check validity of all RRSIGs
+ kdnssec_ctx_t kd_ctx = { 0 };
+ ret = kdnssec_validation_ctx(NULL, &kd_ctx, conts, 1);
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+ kd_ctx.policy->signing_threads = 1;
+ zone_update_t fake_up = { .new_cont = conts };
+ ret = knot_zone_sign(&fake_up, NULL, &kd_ctx);
+ kdnssec_ctx_deinit(&kd_ctx);
+ if (ret == KNOT_DNSSEC_ENOSIG) {
+ char type_txt[16] = { 0 };
+ (void)knot_rrtype_to_string(fake_up.validation_hint.rrtype, type_txt, sizeof(type_txt));
+ LOG_ERROR(loglevel, fake_up.validation_hint.node, "invalid or missing RRSIG for %s", type_txt);
+ return 1;
+ } else if (ret == KNOT_EOK) {
+ LOG_FOUND(loglevel, NULL, "all RRSIGs present and valid");
+ }
+
+ // check RCODE
+ if (expected_rcode != (*dv_ctx)->orig_rcode) {
+ const knot_lookup_t *item = knot_lookup_by_id(knot_rcode_names, expected_rcode);
+ LOG_ERROR(loglevel, NULL, "expected RCODE was: %s", item->name);
+ return 1;
+ } else {
+ LOG_FOUND(loglevel, NULL, "correct RCODE found");
+ }
+
+ return ret;
+}
+
+int kdig_dnssec_validate(knot_pkt_t *pkt, kdig_dnssec_ctx_t **dv_ctx,
+ kdig_validation_log_level_t level,
+ knot_dname_t zone_name[KNOT_DNAME_MAXLEN], uint16_t *type_needed)
+{
+ int ret = dnssec_validate(pkt, dv_ctx, level, zone_name, type_needed);
+ if (ret == 1) {
+ LOG_OUTCOME(level, NULL, "Invalid!");
+ ret = KNOT_EOK;
+ } else if (ret == KNOT_DNSSEC_ENOSIG) { // ONLY the case when no RRSIG at all
+ LOG_ERROR(level, NULL, "Missing any RRSIGs.");
+ LOG_OUTCOME(level, NULL, "Invalid!");
+ ret = KNOT_EOK;
+ } else if (ret == KNOT_EOK) {
+ LOG_OUTCOME(level, NULL, "Valid!");
+ }
+
+ if (ret == KNOT_EAGAIN) {
+ char type_txt[16] = { 0 };
+ knot_rrtype_to_string(*type_needed, type_txt, sizeof(type_txt));
+ LOG_INF(level, zone_name, "need to re-query for %s", type_txt);
+ } else {
+ kdig_dnssec_free(*dv_ctx);
+ *dv_ctx = NULL;
+ }
+ return ret;
+}
+
+void kdig_dnssec_free(kdig_dnssec_ctx_t *dv_ctx)
+{
+ if (dv_ctx != NULL) {
+ zone_contents_deep_free(dv_ctx->conts);
+ free(dv_ctx->orig_qname);
+ free(dv_ctx);
+ }
+}
diff --git a/src/utils/kdig/dnssec_validation.h b/src/utils/kdig/dnssec_validation.h
new file mode 100644
index 000000000..7573e8492
--- /dev/null
+++ b/src/utils/kdig/dnssec_validation.h
@@ -0,0 +1,41 @@
+/* Copyright (C) CZ.NIC, z.s.p.o. and contributors
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ * For more information, see
+ */
+
+#pragma once
+
+#include "libknot/packet/pkt.h"
+
+struct kdig_dnssec_ctx;
+
+typedef enum {
+ KDIG_VALIDATION_LOG_NONE,
+ KDIG_VALIDATION_LOG_OUTCOME,
+ KDIG_VALIDATION_LOG_ERRORS,
+ KDIG_VALIDATION_LOG_INFOS,
+} kdig_validation_log_level_t;
+
+/*!
+ * \brief Detailed DNSSEC validation of response pkt, logging to stdout.
+ *
+ * \param pkt The packet with a DNS response.
+ * \param dv_ctx In/out: context structure persistent across calling this function.
+ * \param level Verbosity of the logging.
+ * \param zone_name Detected zone name.
+ * \param type_needed Out: RRtype to re-query for.
+ *
+ * \retval KNOT_EAGAIN The caller shall re-query the detected zone's apex (zone_name) for requested RRtye (type_needed) and call this function again with the same context (dv_ctx) and the new DNS response packet.
+ * \retval KNOT_EOK The validation successfully took place, either finding errors and logging them, or finding all OK.
+ * \return KNOT_E* An error occured so that the validation couldn't take place.
+ */
+int kdig_dnssec_validate(knot_pkt_t *pkt, struct kdig_dnssec_ctx **dv_ctx,
+ kdig_validation_log_level_t level,
+ knot_dname_t zone_name[KNOT_DNAME_MAXLEN], uint16_t *type_needed);
+
+/*!
+ * \brief Free DNSSEC validation context.
+ *
+ * \param dv_ctx Context structure to free.
+ */
+void kdig_dnssec_free(struct kdig_dnssec_ctx *dv_ctx);
diff --git a/src/utils/kdig/kdig_exec.c b/src/utils/kdig/kdig_exec.c
index c0f46d079..141d4d0f0 100644
--- a/src/utils/kdig/kdig_exec.c
+++ b/src/utils/kdig/kdig_exec.c
@@ -8,6 +8,7 @@
#include
#include
+#include "utils/kdig/dnssec_validation.h"
#include "utils/kdig/kdig_exec.h"
#include "utils/common/exec.h"
#include "utils/common/msg.h"
@@ -798,6 +799,55 @@ static int process_query_packet(const knot_pkt_t *query,
return ret;
}
+ if (query_ctx->dnssec_validation > 0) {
+#if defined(HAVE_KDIG_VALIDATION) && !defined(NO_DNSSEC_VALIDATION)
+ knot_dname_t zone_name[KNOT_DNAME_MAXLEN] = { 0 };
+ uint16_t type_needed = 0;
+ struct kdig_dnssec_ctx *dv_ctx = query_ctx->dv_ctx;
+
+ if (dv_ctx == NULL) {
+ printf("\n;; DNSSEC VALIDATION:\n");
+ }
+
+ ret = kdig_dnssec_validate(reply, &dv_ctx, query_ctx->dnssec_validation, zone_name, &type_needed);
+ if (ret == KNOT_EAGAIN) { // need to re-query to get DNSKEY
+ knot_pkt_free(reply);
+
+ query_t new_ctx = *query_ctx;
+ new_ctx.owner = knot_dname_to_str_alloc(zone_name);
+ if (new_ctx.owner == NULL) {
+ kdig_dnssec_free(dv_ctx);
+ net_close_keepopen(net, query_ctx);
+ return KNOT_ENOMEM;
+ }
+ new_ctx.type_num = type_needed;
+ new_ctx.dv_ctx = dv_ctx;
+ new_ctx.style.show_header = false;
+ new_ctx.style.show_edns = false;
+ new_ctx.style.show_footer = false;
+ new_ctx.style.show_section = false;
+ new_ctx.style.show_question = false;
+ new_ctx.style.show_authority = false;
+ new_ctx.style.show_additional = false;
+ knot_pkt_t *new_query = create_query_packet(&new_ctx);
+ if (new_query == NULL) {
+ free(new_ctx.owner);
+ kdig_dnssec_free(dv_ctx);
+ net_close_keepopen(net, query_ctx);
+ return KNOT_ENOMEM;
+ }
+ ret = process_query_packet(new_query, net, &new_ctx, ignore_tc,
+ sign_ctx, &new_ctx.style);
+ knot_pkt_free(new_query);
+ free(new_ctx.owner);
+ return ret;
+ }
+ if (ret != KNOT_EOK) {
+ ERR("DNSSEC VALIDATION failed to proceed (%s)", knot_strerror(ret));
+ }
+#endif // HAVE_KDIG_VALIDATION && !NO_DNSSEC_VALIDATION
+ }
+
knot_pkt_free(reply);
net_close_keepopen(net, query_ctx);
diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
index 742b28af9..feacd280c 100644
--- a/src/utils/kdig/kdig_params.c
+++ b/src/utils/kdig/kdig_params.c
@@ -275,6 +275,37 @@ static int opt_nodoflag(const char *arg, void *query)
return KNOT_EOK;
}
+static int opt_validate(const char *arg, void *query)
+{
+#if defined(HAVE_KDIG_VALIDATION) && !defined(NO_DNSSEC_VALIDATION)
+ query_t *q = query;
+
+ q->dnssec_validation = 3;
+ if (arg != NULL) {
+ if (!is_digit(arg[0]) || arg[0] < '1' || arg[0] > '3') {
+ ERR("invalid +validation=%s", arg);
+ return KNOT_EINVAL;
+ }
+ q->dnssec_validation = arg[0] - '0';
+ }
+ q->flags.do_flag = true;
+
+ return KNOT_EOK;
+#else
+ ERR("DNSSEC validation support not compiled");
+ return KNOT_ENOTSUP;
+#endif // HAVE_KDIG_VALIDATION && !NO_DNSSEC_VALIDATION
+}
+
+static int opt_novalidate(const char *arg, void *query)
+{
+ query_t *q = query;
+
+ q->dnssec_validation = 0;
+
+ return KNOT_EOK;
+}
+
static int opt_all(const char *arg, void *query)
{
query_t *q = query;
@@ -1550,6 +1581,9 @@ static const param_t kdig_opts2[] = {
{ "dnssec", ARG_NONE, opt_doflag }, // Alias.
{ "nodnssec", ARG_NONE, opt_nodoflag },
+ { "validate", ARG_OPTIONAL, opt_validate },
+ { "novalidate", ARG_NONE, opt_novalidate },
+
{ "all", ARG_NONE, opt_all },
{ "noall", ARG_NONE, opt_noall },
@@ -2377,6 +2411,7 @@ static void print_help(void)
" +[no]cdflag Set CD flag.\n"
" +[no]doflag Set DO flag.\n"
" +[no]dnssec Same as +[no]doflag.\n"
+ " +[no]validate[=LEVEL] Re-query for SOA and DNSKEY, validate DNSSEC.\n"
" +[no]all Show all packet sections.\n"
" +[no]qr Show query packet.\n"
" +[no]header * Show packet header.\n"
diff --git a/src/utils/kdig/kdig_params.h b/src/utils/kdig/kdig_params.h
index 869ae12e7..0fb54210a 100644
--- a/src/utils/kdig/kdig_params.h
+++ b/src/utils/kdig/kdig_params.h
@@ -130,6 +130,9 @@ struct query {
struct sockaddr_storage src;
struct sockaddr_storage dst;
} proxy;
+ /*!< Trigger of DNSSEC validation and related contents_t. */
+ int dnssec_validation;
+ struct kdig_dnssec_ctx *dv_ctx;
#if USE_DNSTAP
/*!< Context for dnstap reader input. */
dt_reader_t *dt_reader;
diff --git a/tests/.gitignore b/tests/.gitignore
index a4a59795f..abb593354 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -97,3 +97,4 @@
/modules/test_rrl
/utils/test_lookup
+/utils/test_kdig_validate
diff --git a/tests/Makefile.am b/tests/Makefile.am
index fc506fd4d..f93de3c9d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -30,7 +30,8 @@ EXTRA_DIST = \
knot/test_semantic_check.in \
libzscanner/data \
libzscanner/test_zscanner.in \
- libzscanner/TESTS
+ libzscanner/TESTS \
+ utils/test_kdig_validate.in
check_LTLIBRARIES = libtap.la
@@ -45,6 +46,8 @@ libtap_la_SOURCES = \
EXTRA_PROGRAMS = tap/runtests
+check_SCRIPTS =
+
check_PROGRAMS = \
contrib/test_base32hex \
contrib/test_base64 \
@@ -164,6 +167,16 @@ endif ENABLE_XDP
if HAVE_LIBUTILS
check_PROGRAMS += \
utils/test_lookup
+
+if HAVE_KDIG_VALIDATION
+check_SCRIPTS += \
+ utils/test_kdig_validate
+
+utils/test_kdig_validate:
+ @$(edit) < $(top_srcdir)/tests/$@.in > $(top_builddir)/tests/$@
+ @chmod +x $(top_builddir)/tests/$@
+endif HAVE_KDIG_VALIDATION
+
endif HAVE_LIBUTILS
if HAVE_DAEMON
@@ -220,7 +233,7 @@ libzscanner_zscanner_tool_SOURCES = \
libzscanner/processing.h \
libzscanner/processing.c
-check_SCRIPTS = \
+check_SCRIPTS += \
libzscanner/test_zscanner
edit = $(SED) \
diff --git a/tests/utils/test_kdig_validate.in b/tests/utils/test_kdig_validate.in
new file mode 100644
index 000000000..120825d98
--- /dev/null
+++ b/tests/utils/test_kdig_validate.in
@@ -0,0 +1,126 @@
+#!/bin/sh
+# Copyright (C) CZ.NIC, z.s.p.o. and contributors
+# SPDX-License-Identifier: GPL-2.0-or-later
+# For more information, see
+
+BUILDROOT="@top_builddir@"
+SRCROOT="@top_srcdir@"
+
+. "@top_srcdir@/tests/tap/libtap.sh"
+
+TMPDIR=$(cd $(test_tmpdir) && pwd)
+if [ -f /etc/crypto-policies/config ] || [ ${#TMPDIR} -gt 85 ]; then
+ diag "Test not compatible with strict crypto policy or too long unix socket paths"
+ skip_all
+ exit 0
+fi
+
+SCN=$TMPDIR/scenario.txt
+CONF=$TMPDIR/knot.conf
+RUNDIR=$TMPDIR/run
+LISTEN=$RUNDIR/listen
+LISTEN_CTL=$RUNDIR/ctl
+VALGRIND=
+
+if [ "$2" = "v" ]; then
+ VALGRIND="valgrind --leak-check=full --show-leak-kinds=all"
+fi
+
+cat << EOF > $SCN
+delegation.signed deleg A NOK! DS.NODATA.*found x.deleg A NOK! DS.NODATA.*found
+different_signer_name.signed dns1 A OK! answer.found dns1 TXT NOK! NODATA.*found
+dname_apex_nsec3.signed foo A OK! limit.*of.*DNAME x TXT OK! limit.*of.*DNAME
+dnskey_keytags.many dns1 A FAILED many.*keytag dns2 A FAILED many.*keytag
+no_rrsig.signed dns1 AAAA NOK! missing.RRSIG.*NSEC dns2 A NOK! missing.RRSIG.*NSEC
+no_rrsig_with_delegation.signed deleg A NOK! any.RRSIG deleg DS NOK! missing.RRSIG.*NSEC
+nsec_broken_chain_01.signed eee A NOK! invalid.*RRSIG.*NSEC zzz A OK! wildcard.non.*proven
+nsec_broken_chain_02.signed eee A OK! wildcard.non.*proven zzz A NOK! wrongly.proves.NXDOMAIN
+nsec_missing.signed www AAAA NOK! NXDOMAIN.*missing dns2 A NOK! invalid.*RRSIG.*NSEC
+nsec_multiple.signed www AAAA NOK! wrongly.proves.NXDOMAIN zzz A NOK! wrongly.proves.NXDOMAIN
+nsec_nonauth.invalid nonauth.deleg NS NOK! invalid.*RRSIG.*DNSKEY nonauth.deleg DS NOK! invalid.*RRSIG.*DNSKEY
+nsec_wrong_bitmap_01.signed www A OK! answer.found www AAAA NOK! NODATA.*missing
+nsec_wrong_bitmap_02.signed www A OK! answer.found www AAAA NOK! invalid.*RRSIG.*NSEC
+nsec3_chain_01.signed deleg A NOK! invalid.*RRSIG.*NSEC3 dns2 A NOK! overlapping.*NSEC3
+nsec3_chain_02.signed deleg A OK! DS.NODATA.*found dns2 A NOK! overlapping.*NSEC3
+nsec3_chain_03.signed deleg A NOK! invalid.*RRSIG.*NSEC3 dns2 A NOK! overlapping.*NSEC3
+nsec3_missing.signed extra AAAA NOK! NXDOMAIN.*missing extrb A NOK! invalid.*RRSIG.*NSEC3
+nsec3_optout_ent.all x.deleg2.ent A OK! opt-out.*found ent A OK! NODATA.*unprovable
+nsec3_optout_ent.invalid x.deleg1.ent A OK! DS.NODATA.*found ent A OK! NODATA.*unprovable
+nsec3_optout_ent.valid x.deleg1.ent A OK! DS.NODATA.*found ent A OK! NODATA.*found
+nsec3_optout.signed zzz A NOK! DS.non.*missing xx.zzz A NOK! DS.non.*missing
+nsec3_param_invalid.signed dns1 A OK! answer.found dns2 A NOK! any.RRSIG
+nsec3_wrong_bitmap_01.signed example.com. DNSKEY OK! answer.found example.com. SSHFP NOK! wrongly.proves.NODATA
+nsec3_wrong_bitmap_02.signed dns1 TXT NOK! invalid.*RRSIG.*NSEC3 dns1 NSEC NOK! NODATA.*missing
+rrsig_rdata_ttl.signed dns1 A NOK! invalid.*RRSIG.*A dns1 TXT OK! NODATA.*found
+rrsig_signed.signed dns1 A OK! answer.found dns1 RRSIG OK! answer.found
+rrsig_ttl.signed dns1 A OK! answer.found dns1 AAAA OK! NODATA.*found
+EOF
+
+cat << EOF > $CONF
+server:
+ rundir: $RUNDIR
+ listen: $LISTEN
+ tcp-workers: 1
+ udp-workers: 1
+ background-workers: 1
+control:
+ listen: $LISTEN_CTL
+database:
+ storage: $RUNDIR
+ timer-db-sync: never
+zone:
+ - domain: example.com.
+ storage: $RUNDIR
+ file: example.com.zone
+log:
+ - target: stdout
+ any: debug
+EOF
+
+plan $(( $(cat "$SCN" | wc -l) * 4 ))
+
+q() {
+ QN="$2"
+ OUTCOME=$(echo "$4" | sed 's/NOK/Invalid/;s/OK/Valid/;s/FAILED/VALIDATION failed to proceed/')
+ case "$QN" in
+ *.) ;;
+ *) QN="$QN.example.com." ;;
+ esac
+ CMD="$VALGRIND $BUILDROOT/src/kdig @$LISTEN +tcp +validate +nocrypto $QN -t $3"
+ echo "$1 $CMD" >&2
+ RESP=$(sh -c "$CMD" 2>&1)
+ echo "$RESP" >&2
+ echo "$RESP" | grep -q "$OUTCOME"
+ ok "$1 outcome '$OUTCOME'" test $? -eq 0
+ echo "$RESP" | grep -q "$5"
+ ok "$1 point '$5'" test $? -eq 0
+}
+
+rm -rf $RUNDIR; mkdir $RUNDIR
+$BUILDROOT/src/knotd -c $CONF > $RUNDIR/knot.log &
+PID=$!
+while ! grep -q 'server started' $RUNDIR/knot.log; do
+ sleep 0.02
+ continue
+done
+
+i=0
+while read ZFILE QNAME QTYPE OUT POINT QNAME2 QTYPE2 OUT2 POINT2; do
+ i=$((i+1))
+ if [ -n "$1" ] && [ "$1" != "$i" ]; then
+ continue
+ fi
+ NLOADED_WAS=$(grep -c 'loaded, serial' $RUNDIR/knot.log)
+ cat $SRCROOT/tests/knot/semantic_check_data/$ZFILE > $RUNDIR/example.com.zone
+ $BUILDROOT/src/knotc -s $LISTEN_CTL -f zone-reload >&2
+ while [ $(grep -c 'loaded, serial' $RUNDIR/knot.log) = "$NLOADED_WAS" ]; do
+ sleep 0.02
+ done
+ q "(${i}a)" "$QNAME" "$QTYPE" "$OUT" "$POINT"
+ q "(${i}b)" "$QNAME2" "$QTYPE2" "$OUT2" "$POINT2"
+done < "$SCN"
+
+
+kill -TERM $PID
+sleep 0.1
+rm -rf $RUNDIR $SCN $CONF